Pension Benefit Guaranty Corporation
Office of Inspector General
1200 K Street, N.W., Washington, D.C. 20005-4026

February 1, 2005

MEMORANDUM


TO:             Bradley Belt
                Executive Director

FROM:           Robert L. Emmons
                Inspector General

SUBJECT:        PBGC Email Retention Policy

During my monthly update meeting with you in December, I agreed to benchmark PBGC’s email
retention policies with other federal agencies to identify best practices. As we discussed,
excessive email retention increases cost and impacts on the operability of our networks.

In response to your request, I asked Luther Atkins to benchmark with other Federal Agencies.
Seven of the eight federal agencies we contacted provided us with their policy. As you might
expect, retention policies vary widely, but there are generally two approaches to managing email.
The first is a voluntary approach, where it is left to the individual employee to monitor and
control the volume of emails that are retained. The second approach is to take a more proactive
role by limiting the amount of email storage space that each employee is allowed.

Based on our benchmarking, the proactive approach is used by six of the seven agencies that
responded (the exception was the Federal Reserve Board, which uses a voluntary approach). The
proactive approach improves an agency’s ability to manage resources, reduce cost and minimize
the risk of retaining excessive amounts of email. For example, three agencies automatically
delete or archive emails in a user’s mailbox after a specified period of time (e.g. 30, 45, or 90
days).

We also noted that Department of Homeland Security follows Microsoft’s best practices for
Exchange Database management:

        Without a conscientious approach to capacity management, the size of your
        information store databases will quickly get out of control. We suggest that you
        set a maximum information store size and then manage the information store
        within those limits.

PBGC’s email policy has always been to use a voluntary approach, with employees having the
primary responsibility for managing the volume of email retained on our computers. OIG has
discussed email retention with Office of Information Technology in the past, and they share our
concern with the volume of email retained by employees. When I discussed our most recent
work with Rick Hartt, he said that several initiatives have been implemented to reduce the amount
of email. The most recent initiative included an information campaign to emphasize the
importance of archiving emails.

Rick also provided me with the draft policy that covers the use of email that he is discussing with
the union. We believe the policy is a step in the right direction, but there are two aspects of the
policy that, based on our benchmarking, are much more liberal than other Agencies. First, the
policy provides for a 400 megabyte limit on each employee’s mailbox. The norm in other
agencies was generally 100 megabytes. Second, the policy does not specify the actions that will
be taken when the policy is not followed.

Most agencies have a policy that requires automatic archiving of emails after a specified period of
time (e.g. 30, 45, or 90 days), or when the mailbox exceeds size limits. At two agencies, the
policy was draconian when compared to our policy. At Federal Deposit Insurance Corporation,
users can’t send outgoing emails when mailboxes exceed 100 megabytes. At Federal Trade
Commission, email older than 45 days is automatically deleted and cannot be recovered.

While we don’t advocate a draconian policy, we do think proactive controls would improve
PBGC’s ability to manage email effectively. In our recent investigations that were referred to us
by the Office of Information Technology, we noted that a large number of employees stored
excessive amounts of emails, and many employees stored a large volume of non-business files on
computers. Based on our findings and our benchmarking, we suggest that you consider
strengthening the draft email retention policy by reducing the authorized size of mailboxes and
requiring automatic archiving when employees exceed mailbox size limits.

I have discussed this memorandum with Rick Hartt. A summary of the benchmarking information
we gathered is attached. If you have any questions or need additional information, let me know.


cc: Rick Hartt


Results of Benchmarking on Email Retention

The following are summarizations of how email is administered, controlled, or used in a
sample of federal agencies.

Federal Trade Commission

    •    The FTC’s policy regarding e-mail is available on the intranet and details the
         types of e-mail records that must be saved and the proper procedure for saving
         these e-mails.
    •    The agency’s e-mail system will not provide users with auto-archive
         functionality.
    •    All e-mails older than 45 days in agency mailbox folders will be deleted
         automatically and they will not be recoverable.
    •    E-mail archives are not an appropriate records storage system and should be
         used to store only items that are of temporary value regarding matters or issues
         that are currently pending.
    •    All employees must review the e-mails that they have archived and delete
         everything that the agency is not required to retain or that is no longer
         applicable to open matters.

Department of Energy

    •    E-mail is not purged until an individual’s mailbox is full. Once full, a network
         warning appears telling the user to clean out old e-mails. The message
         reappears until the situation is addressed.
    •    Auto-archiving can be set at the individual’s discretion (e.g., every 90 days). All
         archived messages are moved off the mail system and placed in stand-alone
         folders/files.

Federal Deposit Insurance Corporation

    •    Mailbox size is limited to 100MB. Once that limit is met, e-mails cannot be sent
         (but can be received) until the size of the mailbox is reduced.
    •    On a weekly basis, messages in the mailbox “Sent Items” folder that are older
         than 21 days are moved to a “Cleanup” folder in the mailbox. An e-mail is sent
         notifying the user of what action was taken.
    •    Messages in the “Cleanup” folder are retained for approximately 40 days longer
         before they are actually deleted.

Department of Labor – Bureau of Labor Statistics

    •    Once a mailbox reaches 80MB, a warning e-mail message is sent to the user
         and e-mail can still be received, but not sent.
    •    Once a mailbox reaches 100MB, the user cannot send or receive any e-mail.
    •    Deleted e-mail is retained in the e-mail server for 30 days before being removed.
    •    Auto-archive is set and maintained at the user’s discretion.
    •    Cannot automatically forward any e-mail using out-of-office assistant or inbox
         assistant.

We also requested information from other agencies. These either sent policy statements
on the use of e-mail not including any information on the configuration or
administration of e-mail, or did not respond at all. The other agencies from whom we
requested information and their responses were as follows:

Social Security Administration

Attached are the e-mail policy and other information provided by SSA. One interesting
item is that they limit the size of e-mail attachments sent through the SSA e-mail
system to 5MB. They also include their policy on deleting any file extension of “+.vbs”
or “.exe”.

Board of Governors of the Federal Reserve Board

They also provided their high-level e-mail policy statement that is available on their
intranet. It is very similar to the policy statement at PBGC.

Department of Homeland Security

This agency responded that they follow the Best Practices for Exchange Database
Management from Microsoft. The following is one interesting item that was highlighted in
the document:

       Capacity Management
       An important issue when planning your Exchange system is determining how
       much disk space you'll need for the information store. Without a conscientious
       approach to capacity management, the size of your information store databases
       will quickly get out of control. We suggest that you set a maximum information
       store size and then manage the information store within those limits. You can
       get a good idea of how big your databases will grow by setting mailbox quotas
       and tracking the growth of the information store over time. You should have
       enough free space to support the messaging needs of the users on the server,
       but mailbox storage limits should be set such that users don't consume
       excessive amounts of disk resources.

Department of Education

Response not received in time to be included in this document.